Expel Workbench
The Expel Workbench connector enables seamless integration with Swimlane Turbine, allowing for automated security incident management and threat response.

Expel Workbench is a comprehensive security operations platform that enables real-time threat detection and response. This connector allows Swimlane Turbine users to integrate with Expel Workbench, providing streamlined access to a suite of investigative and remediation actions. By leveraging this integration, security teams can automate the retrieval and updating of alerts, investigations, and associated actions, enhancing their incident response capabilities and operational efficiency within the Swimlane ecosystem.

## Prerequisites

To effectively utilize the Expel Workbench connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with the following parameters:
  - URL: Endpoint for Expel Workbench API access.
  - API Key: Unique identifier to authenticate requests to Expel Workbench.

### Obtaining an API Key

API keys are obtained through your Expel engagement manager. Please contact Expel.

## Capabilities

This Expel Workbench integration provides the following capabilities:

- Get Expel Alerts
- Get Investigations
- Get Investigation Actions
- Get Investigation Alerts
- Get Investigation Findings
- Get Investigation Remediations
- Get Security Devices
- Get Vendor Alerts
- Update Alerts
- Update Investigation
- Update Investigative Actions

## Documentation

API documentation: https://workbench.expel.io/api/v2/docs/

## Configurations

### Expel Workbench API Key Authentication

Authenticates using API token.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host. | string | Required |
| token | The API key. | string | Required |
| verify_ssl | Verify SSL certificate. | boolean | Optional |
| http_proxy | A proxy to route requests through. | string | Optional |

## Actions

### Get Expel Alerts

Retrieves a list of alert records from Expel Workbench, offering an overview of security notifications.

Endpoint URL: `api/v2/expel_alerts`

Method: GET

#### Input
| Argument Name | Type | Required | Description |
|---|---|---|---|
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| alert_type | string | Type of the resource |
| created_at | string | Output field created_at |
| expel_name | string | Name of the resource |
| expel_severity | string | Output field expel_severity |
| expel_version | string | Output field expel_version |
| expel_alias_name | string | Name of the resource |
| expel_signature_id | string | Unique identifier |
| expel_message | string | Response message |
| ref_event_id | object | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Investigation Actions

Retrieve a list of actions linked to an investigation in Expel Workbench by providing the investigation ID.

Endpoint URL: `api/v2/investigations/{{investigation_id}}/investigative_actions`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| investigation_id | string | Required | Investigation ID. |
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| status | string | Status value |
| title | string | Output field title |
| instructions | string | Output field instructions |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| status_updated_at | string | Status value |
| reason | string | Response reason phrase |
| results | string | Result of the operation |
| close_reason | object | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Investigation Alerts

Retrieve alerts linked to a given investigation in Expel Workbench by providing the investigation ID.

Endpoint URL: `api/v2/investigations/{{investigation_id}}/expel_alerts`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| investigation_id | string | Required | Investigation ID. |
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| file_name | string | Name of the resource |
| file | string | Output field file |
| included | array | Output field included |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/vnd.api+json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "date": "Thu, 02 May 2024 05:49:00 GMT",
      "vary": "accept-encoding",
      "x-expelinc-req-id": "3624cae4-bb19-45f3-9155-68cbf5473522",
      "access-control-allow-origin": "*",
      "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS",
      "access-control-allow-headers": "",
      "cache-control": "private, must-revalidate, max-age=0",
      "expires": "Thu, 01 Jan 1970 00:00:00",
      "server": "nginx",
      "content-encoding": "gzip",
      "set-cookie": "ingresscookie=4e3f5d23-62c6-43f2-899a-7b1b7e67be9e; path=/; same site=lax; httpo ",
      "x-request-id": "a8e0da38-9d2b-42c5-8db0-58d9fcd38196"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Investigation Findings

Retrieve findings linked to a specific investigation in Expel Workbench by providing the investigation ID.

Endpoint URL: `api/v2/investigations/{{investigation_id}}/findings`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| investigation_id | string | Required | Investigation ID. |
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| title | string | Output field title |
| finding | object | Output field finding |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| deleted_at | object | Output field deleted_at |
| rank | number | Output field rank |
| finding_type | object | Type of the resource |
| finding_data | object | Response data |
| links | object | Output field links |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Investigation Remediations

Retrieve remediation records for a given investigation ID in Expel Workbench, requiring the investigation ID as a path parameter.

Endpoint URL: `api/v2/investigations/{{investigation_id}}/remediation_actions`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| investigation_id | string | Required | Investigation ID. |
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| status | string | Status value |
| action | string | Output field action |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| status_updated_at | string | Status value |
| deleted_at | object | Output field deleted_at |
| template_name | string | Name of the resource |
| version | string | Output field version |
| action_type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/vnd.api+json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "date": "Wed, 01 May 2024 11:02:19 GMT",
      "vary": "accept-encoding",
      "x-expelinc-req-id": "608e7985-0a1d-410a-9ac4-5df1b9bd0a62",
      "access-control-allow-origin": "*",
      "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS",
      "access-control-allow-headers": "",
      "cache-control": "private, must-revalidate, max-age=0",
      "expires": "Thu, 01 Jan 1970 00:00:00",
      "server": "nginx",
      "content-encoding": "gzip",
      "set-cookie": "ingresscookie=81d697e0-47e1-4596-b493-d4ec1fcefb99; path=/; same site=lax; httpo ",
      "x-request-id": "9f89213d-9d22-47d8-9432-e7fdbe2ca404"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Investigations

Retrieve a list of investigation records from Expel Workbench to review security incidents and their statuses.

Endpoint URL: `api/v2/investigations`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| created_at | string | Output field created_at |
| analyst_severity | object | Output field analyst_severity |
| title | string | Output field title |
| decision | string | Output field decision |
| is_incident | boolean | Unique identifier |
| threat_type | object | Type of the resource |
| attack_vector | object | Output field attack_vector |
| detection_type | object | Type of the resource |
| attack_timing | object | Output field attack_timing |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Security Devices

Retrieve a detailed list of security devices, including type and status, from Expel Workbench.

Endpoint URL: `api/v2/security_devices`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| name | string | Name of the resource |
| location | string | Output field location |
| status | string | Status value |
| device_type | string | Type of the resource |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| status_updated_at | string | Status value |
| device_spec | object | Output field device_spec |
| plugin_slug | string | Output field plugin_slug |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Get Vendor Alerts

Retrieve a comprehensive list of vendor alerts from Expel Workbench to overview security notifications.

Endpoint URL: `api/v2/vendor_alerts`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| filter | array | Optional | Each model has attributes as detailed in the resources documentation. Most attributes on most resources are filterable. |
| field | string | Required | The field you want to filter. |
| relationship_field | string | Optional | Each object may contain relationships. The relationships exist in `response.data[].relationships`. You can filter based on relationship attributes, i.e. the investigation model contains the `lead_expel_alert` relationship containing an `expel_alert`. The `expel_alert` model has the attribute `created_at`. You can filter attributes of a relationship from the investigations API endpoint. |
| operator | string | Optional | A single character operator. |
| value | string | Required | The operand value. |
| include | string | Optional | Allows you to specify which relationship records you want included in the response. This is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls. |
| sorting | string | Optional | Allows you to sort by a particular attribute of a resource. Each field may be prefixed by a + or - to signify ascending or descending sorts respectively. |
| page | array | Optional | Pagination in the Workbench API uses a limit/offset system. |
| field | string | Required | Field can take offset/limit. The limit is defaulted to 50 if not supplied. The limit may be set to zero; this is useful if your API client needs a count of records without needing to retrieve the actual content of those records. The record offset is defaulted to 0 if not supplied. |
| value | number | Required | Limit/offset value. |
| flag | array | Optional | In addition to the filter query parameter, as specified by the JSON:API spec, the API supports a custom API query parameter of flags that allows callers to pass variables to the backend. |
| field | string | Required | The flag field takes variables, which are defined on a resource-by-resource basis and will alter the behavior of a given API call. It also takes scope, which enables callers to specify scopes for resources backed by Sequelize. When adding a scope that should be accessible from the API, after adding the scope to the scopes object in the resource model definition, add the scope's name to the API scopes array to allow it to be accessible via API. |
| value | string | Required | It will take variable values or the scope's name. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| page | object | Output field page |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| links | object | Output field links |
| self | string | Output field self |
| data | array | Response data |
| file_name | string | Name of the resource |
| file | string | Output field file |
| included | array | Output field included |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/vnd.api+json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "date": "Wed, 01 May 2024 23:18:59 GMT",
      "vary": "accept-encoding",
      "x-expelinc-req-id": "131d107e-d777-43da-a5f1-db7e9965c020",
      "access-control-allow-origin": "*",
      "access-control-allow-methods": "GET, POST, PATCH, DELETE, OPTIONS",
      "access-control-allow-headers": "",
      "cache-control": "private, must-revalidate, max-age=0",
      "expires": "Thu, 01 Jan 1970 00:00:00",
      "server": "nginx",
      "content-encoding": "gzip",
      "set-cookie": "ingresscookie=faa4bf8a-e039-4814-9987-74b6e87596ae; path=/; same site=lax; httpo ",
      "x-request-id": "6181c51b-ce2e-4161-8a3c-cf17099f7b6b"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": [], "included": [] }
  }
]
```

### Update Alerts

Updates specific fields and relationships for an alert in Expel Workbench using the provided Expel alert ID.

Endpoint URL: `api/v2/expel_alerts/{{expel_alert_id}}`

Method: PATCH

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| expel_alert_id | string | Required | Expel alert ID. |
| data | object | Optional | Response data. |
| attributes | object | Optional | Parameter for Update Alerts. |
| expel_severity | string | Optional | Expel alert severity. |
| alert_type | string | Optional | Expel alert type. Allows null value also. |
| close_comment | string | Optional | Expel alert close comment. Allows empty string or null. |
| close_reason | string | Optional | Expel alert close reason. |
| cust_disp_alerts_in_critical_incidents_count | number | Optional | Allows null value. |
| cust_disp_alerts_in_incidents_count | number | Optional | Allows null value. |
| cust_disp_alerts_in_investigations_count | number | Optional | Allows null value. |
| cust_disp_closed_alerts_count | number | Optional | Allows null value. |
| cust_disp_disposed_alerts_count | number | Optional | Allows null value. |
| disposition_alerts_in_incidents_count | number | Optional | Allows null value. |
| disposition_alerts_in_investigations_count | number | Optional | Allows null value. |
| disposition_closed_alerts_count | number | Optional | Allows null value. |
| disposition_disposed_alerts_count | number | Optional | Allows null value. |
| disposition_alerts_in_critical_incidents_count | number | Optional | Allows null value. |
| expel_alias_name | string | Optional | Expel alert alias. Allows empty string or null. Length of the string must be less than or equal to 128 characters. |
| expel_message | string | Optional | Expel alert message. Allows empty string or null. |
| expel_name | string | Optional | Expel alert name. Allows empty string or null. |
| expel_signature_id | string | Optional | Expel alert signature. Allows empty string or null. Length of the string must be less than or equal to 128 characters. |
| expel_version | string | Optional | Expel alert version. Allows empty string or null. Length of the string must be less than or equal to 40 characters. |
| git_rule_url | string | Optional | URL to rule definition for alert. Allows empty string or null. |
| rapid_triage_priority | string | Optional | Expel alert rapid triage priority. |
| ref_event_id | string | Optional | Referring event ID. Allows null value. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
| alert_type | string | Type of the resource |
| created_at | string | Output field created_at |
| expel_name | string | Name of the resource |
| expel_severity | string | Output field expel_severity |
| expel_version | string | Output field expel_version |
| expel_alias_name | string | Name of the resource |
| expel_signature_id | string | Unique identifier |
| expel_message | string | Response message |
| ref_event_id | string | Unique identifier |
| status | string | Status value |
| close_reason | string | Response reason phrase |
| close_comment | string | Output field close_comment |
| vendor_alert_count | number | Count value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": { "jsonapi": {}, "meta": {}, "links": {}, "data": {} }
  }
]
```

### Update Investigation

Updates fields and relationships for an existing investigation in Expel Workbench using the provided investigation ID.

Endpoint URL: `api/v2/investigations/{{investigation_id}}`

Method: PATCH

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| investigation_id | string | Required | Unique identifier. |
| data | object | Optional | Response data. |
| attributes | object | Optional | Parameter for Update Investigation. |
| analyst_severity | string | Optional | Analyst severity. Allows null value. |
| title | string | Optional | Allows empty string or null value. Length of the string must be less than or equal to 128 characters. |
| attack_timing | string | Optional | Attack timing. Allows null value. |
| attack_vector | string | Optional | Attack vector. Allows null value. |
| close_comment | string | Optional | Close comment. Allows empty string or null value. |
| critical_comment | string | Optional | Critical comment. Allows empty string or null value. |
| decision | string | Optional | Decision. Allows null value. |
| detection_type | string | Optional | Detection type. Allows null value. |
| initial_attack_vector | string | Optional | Initial attack vector. Allows empty string or null value. |
| is_downgrade | boolean | Optional | Is downgrade. |
| is_incident | boolean | Optional | Is incident. |
| is_surge | boolean | Optional | Is surge. |
| last_published_value | string | Optional | Last published value. Allows empty string or null value. |
| malware_family | string | Optional | Malware family. Allows empty string or null value. |
| next_steps | string | Optional | Recommended next steps for starting this investigation or handling this incident. Allows empty string or null value. |
| open_reason | string | Optional | Open reason. Allows null value. |
| open_summary | string | Optional | Reason the investigation/incident was opened. Allows empty string or null value. |
| source_reason | string | Optional | Source reason. Allows null value. |
| threat_type | string | Optional | Threat type. Allows null value. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonapi | object | Output field jsonapi |
| version | string | Output field version |
| meta | object | Output field meta |
| reqid | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| attributes | object | Output field attributes |
created at string output field created at analyst severity object output field analyst severity title string output field title decision object output field decision is incident boolean unique identifier threat type object type of the resource attack vector object output field attack vector detection type object type of the resource attack timing object output field attack timing attack lifecycle object output field attack lifecycle close comment object output field close comment updated at string output field updated at critical comment object output field critical comment example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "jsonapi" {}, "meta" {}, "links" {}, "data" {} } } ] update investigative actions updates specific document fields and relationships in expel workbench using the investigation id related resources can be included in the response endpoint url /api/v2/investigations/{{investigation id}}/investigative actions method patch input argument name type required description investigation id string required investigation id activity authorised boolean optional verify investigative action is authorized activity verified by string optional verify investigative action is authorized results string optional the result of the investigative action filter array optional each model has attributes as detailed in the resources documentation most attributes on most resources are filterable field string required the field you want to filter relationship field string optional each object may contain relationships the relationships exist in response data\[] relationships you can filter based on relationship attributes i e the investigation model contains the lead expel alert relationship containing an expel alert the expel alert model has the attribute created at you can filter attributes of a relationship from the investigations api endpoint operator string 
optional a single character operator value string required the operand value include string optional allows you to specify which relationship records you want included in the response this is useful when you are querying for a record, and want to resolve specific relationship data without making multiple calls sorting string optional allows you to sort by a particular attribute of a resource each field may be prefixed by a + or to signify ascending or descending sorts respectively page array optional pagination in the workbench api uses an limit/offset system field string required field can take offset/limit, the limit is defaulted to 50 if not supplied the limit may be set to zero this is useful if your api client needs a count of records without needing to retrieve the actual content of those records the record offset is defaulted to 0 if not supplied value number required limit/offset value flag array optional in addition to filter query parameter, as specified by the jsonapi spec, api supports a custom api query parameter of flags that allows callers to pass variables to the backend field string required the flag field take variables which are defined on a resource by resource basis, and will alter the behavior of a given api call also take scope enables callers to specify scopes for resources backed by sequelize when adding a scope that should be accessible from the api, after adding the scope to the scopes object in the resource model definition, add the scope's name to the api scopes array to allow it to be accessible via api value string required it will take variable values or scope's name output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "content length" "140", "content type" "application/json", "date" "thu, 13 dec 2024 20 37 23 gmt" }, "reason" "ok", "json body" {} } ] response headers header description example access control 
allow headers http response header access control allow headers access control allow methods http response header access control allow methods get, post, patch, delete, options access control allow origin http response header access control allow origin cache control directives for caching mechanisms private, must revalidate, max age=0 connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 140 content type the media type of the resource application/json date the date and time at which the message was originated wed, 01 may 2024 23 18 59 gmt expires the date/time after which the response is considered stale thu, 01 jan 1970 00 00 00 server information about the software used by the origin server nginx set cookie http response header set cookie ingresscookie=4fce4d23 62cc 4dd8 9e07 50c8506f2880; path=/; same site=lax; httponly strict transport security http response header strict transport security max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding x expelinc req id http response header x expelinc req id 28db8312 caad 4516 b8cb 2d147c62f197 x request id a unique identifier for the request 5b064179 e4bb 4379 8705 021e6a9a8c35 notes to use query parameters, refer to the documentation to identify the specific fields available for a particular action
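The Update Alerts input table above sets length limits and null/empty rules per attribute. As an added example (not Swimlane's or Expel's code), this pre-flight check applies those rules to the string attributes before a playbook sends the PATCH. The JSON:API `type` and `id` members, the function names, and the placeholder alert ID are assumptions.

```python
# Added example: pre-flight validation of an Update Alerts body.
# Limits and null/empty rules are transcribed from the input table; the
# JSON:API "type" and "id" members are assumptions, not taken from the page.

MAX_LEN = {"expel_alias_name": 128, "expel_signature_id": 128, "expel_version": 40}
NULL_OR_EMPTY = {"close_comment", "expel_alias_name", "expel_message", "expel_name",
                 "expel_signature_id", "expel_version", "git_rule_url"}
NULL_ONLY = {"alert_type", "ref_event_id"}
NO_NULL_DOCUMENTED = {"expel_severity", "close_reason", "rapid_triage_priority"}
STRING_FIELDS = NULL_OR_EMPTY | NULL_ONLY | NO_NULL_DOCUMENTED


def check_attribute(name, value):
    """Return an error string for one attribute, or None if it is acceptable."""
    if name not in STRING_FIELDS:
        return f"{name}: not a string attribute handled by this check"
    if value is None:
        if name in NO_NULL_DOCUMENTED:
            return f"{name}: null is not documented as allowed"
        return None
    if not isinstance(value, str):
        return f"{name}: expected a string, got {type(value).__name__}"
    if value == "" and name not in NULL_OR_EMPTY:
        return f"{name}: empty string is not documented as allowed"
    if name in MAX_LEN and len(value) > MAX_LEN[name]:
        return f"{name}: {len(value)} characters exceeds the limit of {MAX_LEN[name]}"
    return None


def build_update_alert_body(expel_alert_id, **attributes):
    """Validate every attribute, then return the body for the PATCH request."""
    if not isinstance(expel_alert_id, str) or not expel_alert_id:
        raise ValueError("expel_alert_id is required")
    errors = [e for e in (check_attribute(n, v) for n, v in attributes.items()) if e]
    if errors:
        raise ValueError("; ".join(errors))
    return {"data": {"type": "expel_alerts", "id": expel_alert_id,
                     "attributes": dict(attributes)}}


if __name__ == "__main__":
    # Constructed sample values; the alert ID is a placeholder.
    print(build_update_alert_body("ALERT-ID-PLACEHOLDER",
                                  close_comment="", alert_type=None))
```

The check is deliberately conservative: a value the table does not document as allowed (for example an empty `alert_type`) is rejected locally rather than left for the API to decide.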
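The limit/offset paging described for the `page` parameter above, as an added example (not Swimlane's or Expel's code): it gets the record count with a limit of zero, walks every page, and fails if the collected set is short of that count, so a triage job does not silently stop at the first 50 records. `fake_get_page`, the sample records, and the placement of `page` under `meta` in the response are assumptions.

```python
# Added example: walking limit/offset pagination and checking completeness.
# fake_get_page is a hypothetical stand-in for any of the Get actions.

DEFAULT_LIMIT = 50  # the page states limit defaults to 50 and offset to 0

# Constructed sample records standing in for alerts.
SAMPLE_ALERTS = [{"type": "expel_alerts", "id": f"alert-{n:03d}"} for n in range(120)]


def fake_get_page(offset=0, limit=DEFAULT_LIMIT):
    """Return a response body shaped like the documented output (assumed nesting)."""
    return {
        "meta": {"page": {"offset": offset, "limit": limit,
                          "total": len(SAMPLE_ALERTS)}},
        "data": SAMPLE_ALERTS[offset:offset + limit],
    }


def count_records(get_page):
    """A limit of zero returns the total without any record content."""
    body = get_page(offset=0, limit=0)
    return body["meta"]["page"]["total"]


def iter_records(get_page, limit=DEFAULT_LIMIT):
    """Yield every record, advancing the offset by what was actually returned."""
    if limit <= 0:
        raise ValueError("limit must be positive when retrieving records")
    offset = 0
    while True:
        body = get_page(offset=offset, limit=limit)
        data = body["data"]
        yield from data
        offset += len(data)
        # Stop on an empty page too, so a shrinking result set cannot loop forever.
        if not data or offset >= body["meta"]["page"]["total"]:
            break


def fetch_all_checked(get_page, limit=DEFAULT_LIMIT):
    """Fetch everything and fail loudly if records are missing or duplicated."""
    expected = count_records(get_page)
    records = list(iter_records(get_page, limit))
    unique_ids = {r["id"] for r in records}
    if len(unique_ids) != expected or len(records) != expected:
        raise RuntimeError(f"expected {expected} records, got {len(records)} "
                           f"({len(unique_ids)} unique)")
    return records


if __name__ == "__main__":
    print(len(fetch_all_checked(fake_get_page)))
```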